INDICTMENT

The Grand Jury in and for the District of New Jersey, sitting at Newark,

COUNT 1

(Conspiracy to Commit Fraud and Related Activity in Connection with Computers)

1. At all times relevant to Count 1 of this Indictment:

The Defendants 

a. Defendant FARAMARZ SHAHI SAVANDI was a computer hacker who resided in Iran.

b. Defendant MOHAMMAD MEHDI SHAH MANSOURI was a computer hacker who resided in Iran.

Relevant Individuals and Entities

c. Exchanger #1 was a Bitcoin exchanger based in Iran.

d. Exchanger #2 was a Bitcoin exchanger based in Iran.

e. European VPS #1 was a virtual private server hosted in Europe.

f. European VPS #2 was a virtual private server hosted in Europe.


Victims

g. Allscripts Healthcare Solutions, Inc. was a company headquartered in Chicago, Illinois that provided physician practices, hospitals, and other healthcare providers with practice management and electronic health record technology.

h. The City of Atlanta was the capital of Georgia, with a population of over 480,000 residents.

i. The City of Newark was a municipality in New Jersey, with a population of over 280,000 residents.

j. The Colorado Department of Transportation was headquartered in Denver, Colorado, and administered Colorado's state government transportation responsibilities.

k. Hollywood Presbyterian Medical Center was a hospital located in Los Angeles, California.

l. Kansas Heart Hospital was a hospital located in Wichita, Kansas.

m. Laboratory Corporation of America Holdings, more commonly known as LabCorp, was a company headquartered in Burlington, North Carolina that operated one of the largest clinical laboratory networks in the world, with a United States network of 36 primary laboratories.

n. MedStar Health was a healthcare organization headquartered in Columbia, Maryland that operated more than 120 entities, including ten hospitals in the Baltimore-Washington metropolitan area.

o. The Mercer County Business was a business located in Mercer County, New Jersey.

p. Nebraska Orthopedic Hospital was a hospital located in Omaha, Nebraska, now known as OrthoNebraska Hospital.

q. The Port of San Diego was a public-benefit corporation headquartered in San Diego, California that administered two marine cargo facilities on San Diego Bay.

r. The University of Calgary was a university located in Calgary, Alberta, Canada.

Overview

2. From in or about December 2015 to the present, FARAMARZ SHAHI SAVANDI and MOHAMMAD MEHDI SHAH MANSOURI (collectively, "Defendants") engaged in an international computer hacking and extortion scheme, whereby they:

a. Used sophisticated techniques and tools to hack into the computer networks of hospitals, schools, companies, government agencies, and other entities, primarily located in the United States, including the victims set forth in paragraphs 1(g) through 1(r) (the "Victims");

b. Encrypted computers on the Victims' networks, using a form of malicious software created by Defendants called SamSam Ransomware, with the objective of crippling the Victims by preventing them from accessing or using data on the compromised computers, thus forcing many Victims to shut down or dramatically curtail their operations; and

c. Extorted the Victims for ransom payments in exchange for the decryption keys to unlock the compromised computers.

3. The defendants hacked, encrypted, and extorted more than 200 Victims, and collected more than $6 million in ransom payments. The Victims incurred additional losses exceeding $30 million resulting from the loss of access to their data.

Relevant Terms 

4. Bitcoin was a type of virtual currency, circulated over the Internet as a form of value. Bitcoin were not issued by any government, bank, or company, but rather were generated and controlled through computer software operating via a decentralized, peer-to-peer network. Bitcoin were just one of many varieties of virtual currency.

5. "Bitcoin addresses" were the particular virtual locations to which Bitcoin were sent and received. A Bitcoin address was analogous to a bank account number and was represented as a 26-to-35-character-long case-sensitive string of letters and numbers. Each Bitcoin address was controlled through the use of a unique corresponding private key, a cryptographic equivalent of a password needed to access the address. Only the holder of an address's private key could authorize a transfer of Bitcoin from that address to another Bitcoin address.

6. "Bitcoin exchangers" were persons in the business of exchanging fiat currency (currency that derives its value from government regulation or law, such as the U.S. dollar or the Iranian rial) for Bitcoin, and exchanging Bitcoin for fiat currency.

7. "Encryption" was the translation of data into a secret code. In order to access encrypted data, a user had to have access to a password (known as a "decryption key") that enabled the user to decrypt it.

8. "Malware" was malicious computer software intended to cause the victim computer to behave in a manner inconsistent with the intention of the owner or user of the victim computer, usually unbeknownst to that person.

9. "Ransomware" was a type of malware that infected a computer and encrypted some or all of the data on the computer. Distributors of ransomware typically extorted the user of the encrypted computer by demanding that the user pay a ransom in order to decrypt and recover the data on the computer.

10. "SamSam Ransomware" was a form of sophisticated malware that encrypted victim computers. SamSam Ransomware has also been given other names by security researchers, such as "Samas Ransomware" and "MSIL/SAMAS.A Ransomware." The process of encrypting victim computers with SamSam Ransomware required the execution of the malicious code by the distributor of the malware (i.e., direct human interaction). Once data on a computer was encrypted, distributors of the malware could then extort victims by demanding a ransom in exchange for the decryption key for the encrypted data.

11. "Security vulnerabilities" were unintended flaws in software code or an operating system that left a computer open to exploitation in the form of unauthorized access or malicious behavior, such as the deployment of malware.

12. A "server" was a type of computer or device on a network that managed network resources. A "virtual private server," or VPS, was a virtual server that a user perceived as a single physical server, even though it was installed on a physical server potentially running multiple operating systems.

13. Tor was a computer network designed to facilitate anonymous communication over the Internet. The Tor network did this by routing a user's communications through a globally distributed network of relay computers, or proxies, rendering ineffective any conventional Internet Protocol ("IP") address-based methods of identifying users. To access the Tor network, a user installed specific Tor software. The Tor network also enabled users to operate hidden sites that operate similarly to conventional websites.

The Conspiracy

14. From in or about December 2015 through in or about November 2018, in Essex and Mercer Counties, in the District of New Jersey, and elsewhere, defendants

FARAMARZ SHAHI SAVANDI and
MOHAMMAD MEHDI SHAH MANSOURI

did knowingly and intentionally conspire and agree to commit offenses against the United States, that is:

a. to knowingly cause the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally cause damage without authorization to a protected computer, and cause loss to persons during a 1-year period from Defendants' course of conduct affecting protected computers aggregating at least $5,000 in value, and cause damage affecting 10 or more protected computers during a 1-year period, contrary to Title 18, United States Code, Sections 1030(a)(5)(A) and (c)(4)(B); and

b. to knowingly and with intent to extort from any person any money or other thing of value, transmit in interstate and foreign commerce any communication containing a demand and request for money and other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion, contrary to Title 18, United States Code, Sections 1030(a)(7)(C) and (c)(3)(A).

Goal of the Conspiracy

15. The goal of the conspiracy was for Defendants, acting from inside Iran, to enrich themselves by: (a) authoring malware (i.e., the SamSam Ransomware) that would, when executed, encrypt data on Victim computers; (b) conducting reconnaissance and research to select and target potential Victims; (c) accessing Victim computers without authorization through security vulnerabilities; (d) installing and executing the SamSam Ransomware on Victim computers, resulting in the encryption of data on the computers; (e) extorting Victims by demanding a ransom paid in Bitcoin in exchange for decryption keys for the encrypted data; and (f) collecting ransom payments from Victims that paid the ransom.

Manner and Means of the Conspiracy

16. It was part of the conspiracy that:

a. Defendants authored various versions of the SamSam Ransomware, which was designed to encrypt data on Victim computers. SamSam Ransomware was designed to maximize the damage caused to the Victim by, for instance, also encrypting backups of the targeted computers. Defendants created the first operational version of SamSam in or about December 2015. Since then, Defendants have regularly updated and refined the SamSam Ransomware. For instance, Defendants added more sophisticated encryption to the SamSam Ransomware to make it more difficult to analyze.

b. Defendants hacked into (i.e., accessed without authorization) the computer networks of the Victims, both inside and outside the United States. They also conducted online research in order to select and target potential victims. Defendants used a variety of methods to gain access to Victim computer networks, including exploiting known security vulnerabilities in common server software and utilizing virtual private servers such as European VPS #1 and European VPS #2 to mask their identities.

c. Once inside a Victim's computer network, Defendants used sophisticated hacking techniques and tools to conduct reconnaissance and expand their access to the Victim computer networks. Among other things, Defendants scanned a Victim's computer network to identify computers to target for encryption. Early in the conspiracy, this reconnaissance often lasted for weeks. Over time, Defendants moved more quickly from hacking into a Victim's network to deploying the SamSam Ransomware. For instance, by in or about 2018, Defendants sometimes deployed the SamSam Ransomware within hours of hacking into a Victim's computer network.

d. After conducting reconnaissance, Defendants installed the SamSam Ransomware on as many computers within the Victim network as possible. Once the SamSam Ransomware was widely deployed within the Victim's computer network, Defendants then executed the malware to encrypt computers on the Victim network. This coordinated encryption attack, which was disguised to appear like legitimate network activity, was usually launched outside regular business hours, when a Victim would find it more difficult to mitigate the attack.

e. The simultaneous, mass encryption of a Victim's computers was intended to-and often did-cripple the regular business operations of the Victims. Without use of their data, most Victims were unable to function normally; many had to shut down or dramatically curtail their operations. These devastating attacks often caused substantial losses to the Victims.

f. Defendants extorted Victims by leaving a ransom note in the form of a file on each computer encrypted by SamSam Ransomware. Each Victim's ransom note told the Victim that its files were encrypted, told the Victim that it would have to pay Bitcoin to get the decryption keys, and directed the Victim to a webpage to communicate with Defendants (the "Ransom Webpage"). The ransom notes usually threatened to permanently delete the decryption keys for the Victim's computers after seven days. For instance, on or about April 25, 2017, Defendants encrypted computers belonging to the City of Newark, and left behind a ransom note. A copy of that ransom note is shown at Attachment A.

g. Defendants created a Ransom Webpage for each Victim. Early in the conspiracy, Defendants created the Ransom Webpages at a public provider. Later in the conspiracy, Defendants created Ransom Webpages hidden by the Tor network, and instructed Victims to install specific Tor software, and then navigate to a hidden Tor page. Defendants used the Ransom Webpages to communicate with Victims, arrange for payment, and provide decryption keys to Victims that paid the ransom. To spur prompt payment, the Ransom Webpages often included a threatening timer clock after which a Victim's decryption keys would be deleted. For instance, on or about March 22, 2018, Defendants encrypted computers belonging to the City of Atlanta, and directed the Victim to a Ransom Webpage created specifically for that attack. A copy of that Ransom Webpage is shown at Attachment B.

h. Defendants collected payments in Bitcoin from Victims that paid the ransom. Although the value of Bitcoin fluctuates, measured at the time the ransoms were paid, Defendants successfully extorted more than $6 million from Victims. Defendants periodically exchanged the accumulated Bitcoin proceeds into Iranian rial using Bitcoin exchangers, including Exchanger #1 and Exchanger #2.

Overt Acts

17. In furtherance of the conspiracy and to effect its unlawful object, Defendants committed and caused to be committed the following overt acts in the District of New Jersey and elsewhere:

a. In or about December 2015, Defendants authored the first version of the SamSam Ransomware.

b. On or about December 14, 2015, Defendants exchanged multiple chat communications discussing the development and functionality of the SamSam Ransomware.

c. On or about January 11, 2016, Defendants accessed the computer network of the Mercer County Business in New Jersey and deployed the SamSam Ransomware on its computers, encrypting them, all without authorization.

d. On or about January 11, 2016, Defendants extorted the Mercer County Business in New Jersey by demanding a ransom paid in Bitcoin in exchange for decryption keys for the encrypted data.

e. On or about February 5, 2016, Defendants accessed the computer network of Hollywood Presbyterian Medical Center and deployed the SamSam Ransomware on its computers, encrypting them, all without authorization.

f. On or about February 5, 2016, Defendants extorted Hollywood Presbyterian Medical Center by demanding a ransom paid in Bitcoin in exchange for decryption keys for the encrypted data.

g. On or about February 18, 2016, Defendants exchanged multiple chat communications in which they agreed to equally divide ransom proceeds.

h. On or about March 8, 2016, defendant MANSOURI and Exchanger #2 exchanged chat communications discussing Bitcoin.

i. On or about March 10, 2016, defendant MANSOURI received a chat communication from Exchanger #2 concerning Bitcoin.

j. On or about March 27, 2016, Defendants accessed the computer network of MedStar Health and deployed the SamSam Ransomware on its computers, encrypting them, all without authorization.

k. On or about March 27, 2016, Defendants extorted MedStar Health by demanding a ransom paid in Bitcoin in exchange for decryption keys for the encrypted data.

l. On or about May 15, 2016, Defendants paid for the use of European VPS #1.

m. On or about May 15, 2016, Defendants searched for the term "kansasheart.com" on an online search engine.

n. On or about May US, 2016, Defendants accessed the publicly accessible website of Kansas Heart Hospital.

o. On or about May 18, 2016, Defendants accessed the computer network of Kansas Heart Hospital and deployed the SamSam Ransomware on its computers, encrypting them, all without authorization.

p. On or about May 18, 2016, Defendants extorted Kansas Heart Hospital by demanding a ransom paid in Bitcoin in exchange for decryption keys for the encrypted data.

q. On or about May 19, 2016, Defendants paid for the use of European VPS #2.

r. On or about May 27, 2016, Defendants, utilizing in part European VPS #1 and European VPS #2, accessed the computer network of the University of Calgary and deployed the SamSam Ransomware on its computers, encrypting them, all without authorization.

s. On or about May 27, 2016, Defendants extorted the University of Calgary by demanding a ransom paid in Bitcoin in exchange for decryption keys for the encrypted data.

t. On or about May 28, 2016, Defendants exchanged multiple chat communications discussing the attack on, and extortion of, the University of Calgary.

u. On or about July 21, 2016, Defendants exchanged multiple chat communications discussing the conversion of accumulated Bitcoin into Iranian rial.

v. On or about July 21, 2016, defendant MANSOURI sent a chat communication to Exchanger #1 instructing him to convert Bitcoin associated with ransom proceeds into Iranian rial and to deposit the rial into accounts controlled by defendant MANSOURI and defendant SAVANDI.

w. On or about July 21, 2016, defendant MANSOURI received a chat communication from Exchanger #1 confirming the conversion of Bitcoin associated with ransom proceeds into Iranian rial and the deposit thereof into accounts controlled by defendant MANSOURI and defendant SAVANDI.

x. On or about July 28, 2016, Defendants, utilizing in part European VPS #2, accessed the computer network of Nebraska Orthopedic Hospital and deployed the SamSam Ransomware on its computers, encrypting them, all without authorization.

y. On or about July 28, 2016, Defendants extorted Nebraska Orthopedic Hospital by demanding a ransom paid in Bitcoin in exchange for decryption keys for the encrypted data.

z. On or about August 12, 2016, defendant MANSOURI sent a chat communication to Exchanger #1 instructing him to convert Bitcoin associated with ransom proceeds into Iranian rial and to deposit the rial into accounts controlled by defendant MANSOURI and defendant SAVANDI.

aa. On or about August 12, 2016, defendant MANSOURI received a chat communication from Exchanger #1 confirming the conversion of Bitcoin associated with ransom proceeds into Iranian rial and the deposit into accounts controlled by defendant MANSOURI and defendant SAVANDI.

bb. On or about April 25, 2017, Defendants accessed the computer network of the City of Newark in New Jersey and deployed the SamSam Ransomware on computers belonging to the entity, encrypting them, all without authorization.

cc. On or about April 25, 2017, Defendants extorted the City of Newark in New Jersey by demanding a ransom paid in Bitcoin in exchange for decryption keys for the encrypted data.

dd. In or about June 2017, Defendants authored an updated, refined version of the SamSam Ransomware.

ee. In or about October 2017, Defendants authored a further updated, refined version of the SamSam Ransomware.

ff. On or about January 18, 2018, Defendants accessed the computer network of Allscripts Healthcare Solutions, Inc. and deployed the SamSam Ransomware on its computers, encrypting them, all without authorization.

gg. On or about January 18, 2018, Defendants extorted Allscripts Healthcare Solutions, Inc. by demanding a ransom paid in Bitcoin in exchange for decryption keys for the encrypted data.

hh. On or about February 5, 2018, defendant SAVANDI received funds associated with ransom proceeds, which were converted into Iranian rial and deposited by Exchanger #2.

ii. On or about February 10, 2018, defendant MANSOURI received funds associated with ransom proceeds, which were converted into Iranian rial and deposited by Exchanger #2.

jj. On or about February 18, 2018, defendant SAVANDI received funds associated with ransom proceeds, which were converted into Iranian rial and deposited by Exchanger #2.

kk. On or about February 19, 2018, Defendants accessed the computer network of the Colorado Department of Transportation and deployed the SamSam Ransomware on its computers, encrypting them, all without authorization.

ll. On or about February 19, 2018, Defendants extorted the Colorado Department of Transportation by demanding a ransom paid in Bitcoin in exchange for decryption keys for the encrypted data.

mm. On or about March 22, 2018, Defendants accessed the computer network of the City of Atlanta and deployed the SamSam Ransomware on computers belonging to the entity, encrypting them, all without authorization.

nn. On or about March 22, 2018, Defendants extorted the City of Atlanta by demanding a ransom paid in Bitcoin in exchange for decryption keys for the encrypted data.

oo. On or about April 19, 2018, defendant SAVANDI received funds associated with ransom proceeds, which were converted into Iranian rial and deposited by Exchanger #2.

pp. On or about July 14, 2018, Defendants accessed the computer network of LabCorp and deployed the SamSam Ransomware on its computers, encrypting them, all without authorization.

qq. On or about July 14, 2018, Defendants extorted LabCorp by demanding a ransom paid in Bitcoin in exchange for decryption keys for the encrypted data.

rr. On or about September 25, 2018, Defendants accessed the computer network of the Port of San Diego and deployed the SamSam Ransomware on its computers, encrypting them, all without authorization.

ss. On or about September 25, 2018, Defendants extorted the Port of San Diego by demanding a ransom paid in Bitcoin in exchange for decryption keys for the encrypted data.

All in violation of Title 18, United States Code, Section 371.

COUNT 2

(Conspiracy to Commit Wire Fraud)

1. The allegations contained in paragraphs 1 through 13, 16, and 17 of Count 1 of this Indictment are re-alleged and incorporated as though fully set forth in this paragraph.

2. From in or about December 2015 through in or about November 2018, in Essex and Mercer Counties, in the District of New Jersey, and elsewhere, defendants

FARAMARZ SHAHI SAVANDI and
MOHAMMAD MEHDI SHAH MANSOURI

did knowingly and intentionally conspire and agree to devise a scheme and artifice to defraud and to obtain money and property by means of materially false and fraudulent pretenses, representations, and promises, and to transmit and cause to be transmitted by means of wire communications in interstate and foreign commerce certain writings, signs, signals, and sounds in furtherance of such scheme and artifice, contrary to Title 18, United States Code, Section 1343.

In violation of Title 18, United States Code, Section 1349.

COUNTS 3 AND 4

(Intentional Damage to a Protected Computer)

1. The allegations contained in paragraphs 1 through 13, 16, and 17 of Count 1 of this Indictment are re-alleged and incorporated as though fully set forth in this paragraph.

2. On or about each of the dates set forth below, in the District of New Jersey, and elsewhere, defendants

FARAMARZ SHAHI SAVANDI and
MOHAMMAD MEHDI SHAH MANSOURI

knowingly caused the transmission of a program, information, code, and command and, as a result of such conduct, intentionally caused damage without authorization to a protected computer, and the offense caused loss to persons during a 1-year period from Defendants' course of conduct affecting protected computers aggregating at least $5,000 in value, and caused damage affecting 10 or more protected computers during a 1-year period, described below for each count, each transmission constituting a separate count:

COUNT   DATE               VICTIM
3       January 11, 2016   Mercer County Business in Mercer County, New Jersey
4       April 25, 2017     City of Newark in Newark, New Jersey

In violation of Title 18, United States Code, Sections 1030(a)(5)(A) and (c)(4)(B), and 2.

COUNTS 5 AND 6

(Transmitting a Demand in Relation to Damaging a Protected Computer)

1. The allegations contained in paragraphs 1 through 13, 16, and 17 of Count 1 of this Indictment are re-alleged and incorporated as though fully set forth in this paragraph.

2. On or about each of the dates set forth below, in the District of New Jersey, and elsewhere, defendants

FARAMARZ SHAHI SAVANDI and
MOHAMMAD MEHDI SHAH MANSOURI,

with intent to extort from persons money and other things of value, transmitted in interstate and foreign commerce a communication containing a demand and request for money and other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion, described below for each count, each transmission constituting a separate count:

COUNT   DATE               VICTIM
5       January 11, 2016   Mercer County Business in Mercer County, New Jersey
6       April 25, 2017     City of Newark in Newark, New Jersey


In violation of Title 18, United States Code, Sections 1030(a)(7)(C) and (c)(3)(A), and 2.

FORFEITURE ALLEGATION AS TO COUNTS 1, 3, 4, 5, and 6

1. As a result of committing the offenses charged in Counts 1, 3, 4, 5, and 6 of this Indictment, defendants

FARAMARZ SHAHI SAVANDI and
MOHAMMAD MEHDI SHAH MANSOURI

shall forfeit to the United States

a. pursuant to Title 18, United States Code, Sections 982(a)(2)(B) and 1030(i), any property, real or personal, constituting, or derived from, proceeds obtained directly or indirectly as a result of the offenses charged in Counts 1, 3, 4, 5, and 6 of this Indictment; and

b. pursuant to Title 18, United States Code, Section 1030(i), all right, title, and interest in any personal property that was used or intended to be used to commit or to facilitate the commission of the offenses charged in Counts 1, 3, 4, 5, and 6 of this Indictment.

FORFEITURE ALLEGATION AS TO COUNT 2

2. As a result of committing the offenses charged in Count 2 of this Indictment, defendants

FARAMARZ SHAHI SAVANDI and
MOHAMMAD MEHDI SHAH MANSOURI

shall forfeit to the United States, pursuant to Title 18, United States Code, Section 981(a)(1)(C) and Title 28, United States Code, Section 2461, all property, real and personal, that constitutes or is derived from proceeds traceable to the commission of the said offense, and all property traceable thereto.

SUBSTITUTE ASSETS PROVISION

(Applicable to All Forfeiture Allegations)

5. If any of the above-described forfeitable property, as a result of any act or omission of Defendants:

a. cannot be located upon the exercise of due diligence;

b. has been transferred or sold to, or deposited with a third party;

c. has been placed beyond the jurisdiction of the court;

d. has been substantially diminished in value; or

e. has been commingled with other property which cannot be divided without difficulty;

the United States shall be entitled, pursuant to 21 U.S.C. § 853(p) (as incorporated by 28 U.S.C. § 2461(c) and 18 U.S.C. §§ 982(b) and 1030(i)), to forfeiture of any other property of the defendants up to the value of the above-described forfeitable property.

A TRUE BILL:



BRIAN A. BENCZKOWSKI
ASSISTANT ATTORNEY GENERAL

ATTACHMENT A: RANSOM NOTE TO CITY OF NEWARK (REDACTED)

What happened to your files?

How to recover files?

RSA is a asymmetric cryptographic algorithm, You need one key for encryption and one key for decryption
So you need Private key to recover your files.
It's not possible to recover your files without private key

How to get private key?

Step3: We will reply to your comment with a decryption software, You should run it on your affected PC and all encrypted files will be recovered

(If you send us 24 Bitcoins for all PC's, leave a comment on our site with this detail: Just write "For All Affected PC's" in your comment)

(Also if you want pay for "all affected PC's" You can pay 12 Bitcoins to receive half of keys(randomly) and after you verify it send 2nd half to receive all keys )

How To Access To Our Site

For access to our site you must install Tor browser and enter our site URL in your tor browser.
You can download tor browser from https://www.torproject.org/download/download.html.en
For more information please search in Google "How to access onion sites"

# Test Decryption #

Check our site, You can upload 2 encrypted files and we will decrypt your files as demo.

Where to buy Bitcoin

We advice you to buy Bitcoin with Cash Deposit or WesternUnion From https://localbitcoins.com/ or https://coincafe.com/buybitcoinswestern.php
Because they don't need any verification and send your Bitcoin quickly.

Deadline

Files Available To Decrypt: 2

Leave a comment


CASE NUVHHBR: 20taaBnnixi3 


United States District Court
District of New Jersey

UNITED STATES OF AMERICA

v.

FARAMARZ and
MOHAMMAD MEHDI

INDICTMENT FOR

18 U.S.C. §§ 371,
1030(a)(7)(C), 1349, and 2

CRAIG CARPENITO